[sudo-users] uid switching vs resource limits

[Teodor Milkov]

Hello,

I found that current version of sudo that's included in Debian 8 Jessie 
(1.8.10p3-1+deb8u2) has different behavior compared to the one in Debian 
7 Wheezy  (1.8.5p2-1+nmu2) in regard to resource limits.

In 1.8.5 resource limits were not enforced during privilege switching:

  $ sudo -V
  Sudo version 1.8.5p2
  Sudoers policy plugin version 1.8.5p2
  Sudoers file grammar version 41
  Sudoers I/O plugin version 1.8.5p2

  $ ulimit -u 50
$ ulimit -u
50

  $ sudo bash -c "ulimit -u"
  50

  $ sudo bash -c "sh -c ulimit -u"
  unlimited

In 1.8.10 resource limits are retained:

  $ sudo --version
  Sudo version 1.8.10p3
  Sudoers policy plugin version 1.8.10p3
  Sudoers file grammar version 43
  Sudoers I/O plugin version 1.8.10p3

  $ ulimit -u 50
  $ ulimit -u
50

  $ sudo bash -c "ulimit -u"
  sudo: PERM_ROOT: setresuid(0, -1, -1): too many processes

What is the recommended way to get the old behavior?

I looked through the man pages, but didn't find the answer. Also glanced 
quickly over the code and there's some relevand handling in src/sudo.c:

     /*
      * Unlimit the number of processes since Linux's setuid() will
      * return EAGAIN if RLIMIT_NPROC would be exceeded by the uid switch.
      */
     unlimit_nproc();

#ifdef HAVE_SETRESUID
     if (setresuid(details->uid, details->euid, details->euid) != 0) {
     warning(U_("unable to change to runas uid (%u, %u)"), details->uid,
         details->euid);
     goto done;
     }
#elif defined(HAVE_SETREUID)
+---  5 lines: if (setreuid(details->uid, details->euid) != 0) 
{----------------
#else
+---  5 lines: if (seteuid(details->euid) != 0 || setuid(details->euid) 
!= 0) {-
#endif /* !HAVE_SETRESUID && !HAVE_SETREUID */

     /* Restore previous value of RLIMIT_NPROC. */
     restore_nproc();

But it seems uid switching is going via completely different code path 
(plugins/sudoers/set_perms.c) in the newer sudo?


Best regards,
Teodor